rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #1397243 - Backport Apache Bug 53098 - mod_proxy_ajp:

Browse Source 
patch to set worker secret passed to tomcat
This commit is contained in:
Luboš Uhliarik 2017-03-30 15:32:35 +02:00
parent c79ba20a8d
commit c58fda3be9
2 changed files with 138 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
httpd-2.4.25-r1738878.patch Normal file
View File

@ -0,0 +1,129 @@
--- a/modules/proxy/ajp.h 2016/04/12 22:47:36 1738877
+++ b/modules/proxy/ajp.h 2016/04/12 23:09:07 1738878
@@ -412,11 +412,13 @@
* @param r current request
* @param buffsize max size of the AJP packet.
* @param uri requested uri
+ * @param secret authentication secret
* @return APR_SUCCESS or error
*/
apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r,
apr_size_t buffsize,
- apr_uri_t *uri);
+ apr_uri_t *uri,
+ const char *secret);
/**
* Read the ajp message and return the type of the message.
--- a/modules/proxy/ajp_header.c 2016/04/12 22:47:36 1738877
+++ b/modules/proxy/ajp_header.c 2016/04/12 23:09:07 1738878
@@ -213,7 +213,8 @@
static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
request_rec *r,
- apr_uri_t *uri)
+ apr_uri_t *uri,
+ const char *secret)
{
int method;
apr_uint32_t i, num_headers = 0;
@@ -293,17 +294,15 @@
i, elts[i].key, elts[i].val);
}
-/* XXXX need to figure out how to do this
- if (s->secret) {
+ if (secret) {
if (ajp_msg_append_uint8(msg, SC_A_SECRET) ||
- ajp_msg_append_string(msg, s->secret)) {
+ ajp_msg_append_string(msg, secret)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228)
- "Error ajp_marshal_into_msgb - "
+ "ajp_marshal_into_msgb: "
"Error appending secret");
return APR_EGENERAL;
}
}
- */
if (r->user) {
if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) ||
@@ -671,7 +670,8 @@
apr_status_t ajp_send_header(apr_socket_t *sock,
request_rec *r,
apr_size_t buffsize,
- apr_uri_t *uri)
+ apr_uri_t *uri,
+ const char *secret)
{
ajp_msg_t *msg;
apr_status_t rc;
@@ -683,7 +683,7 @@
return rc;
}
- rc = ajp_marshal_into_msgb(msg, r, uri);
+ rc = ajp_marshal_into_msgb(msg, r, uri, secret);
if (rc != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)
"ajp_send_header: ajp_marshal_into_msgb failed");
--- a/modules/proxy/mod_proxy.c 2016/04/12 22:47:36 1738877
+++ b/modules/proxy/mod_proxy.c 2016/04/12 23:09:07 1738878
@@ -308,6 +308,12 @@
(int)sizeof(worker->s->flusher));
}
}
+ else if (!strcasecmp(key, "secret")) {
+ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {
+ return apr_psprintf(p, "Secret length must be < %d characters",
+ (int)sizeof(worker->s->secret));
+ }
+ }
else {
if (set_worker_hc_param_f) {
return set_worker_hc_param_f(p, s, worker, key, val, NULL);
--- a/modules/proxy/mod_proxy.h 2016/04/12 22:47:36 1738877
+++ b/modules/proxy/mod_proxy.h 2016/04/12 23:09:07 1738878
@@ -348,6 +348,7 @@
#define PROXY_WORKER_MAX_HOSTNAME_SIZE 96
#define PROXY_BALANCER_MAX_HOSTNAME_SIZE 64
#define PROXY_BALANCER_MAX_STICKY_SIZE 64
+#define PROXY_WORKER_MAX_SECRET_SIZE 64
/* RFC-1035 mentions limits of 255 for host-names and 253 for domain-names,
* dotted together(?) this would fit the below size (+ trailing NUL).
@@ -444,6 +445,7 @@
unsigned int disablereuse_set:1;
unsigned int was_malloced:1;
unsigned int is_name_matchable:1;
+ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */
} proxy_worker_shared;
#define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared)))
--- a/modules/proxy/mod_proxy_ajp.c 2016/04/12 22:47:36 1738877
+++ b/modules/proxy/mod_proxy_ajp.c 2016/04/12 23:09:07 1738878
@@ -193,6 +193,7 @@
apr_off_t content_length = 0;
int original_status = r->status;
const char *original_status_line = r->status_line;
+ const char *secret = NULL;
if (psf->io_buffer_size_set)
maxsize = psf->io_buffer_size;
@@ -202,12 +203,15 @@
maxsize = AJP_MSG_BUFFER_SZ;
maxsize = APR_ALIGN(maxsize, 1024);
+ if (*conn->worker->s->secret)
+ secret = conn->worker->s->secret;
+
/*
* Send the AJP request to the remote server
*/
/* send request headers */
- status = ajp_send_header(conn->sock, r, maxsize, uri);
+ status = ajp_send_header(conn->sock, r, maxsize, uri, secret);
if (status != APR_SUCCESS) {
conn->close = 1;
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868)

11
httpd.spec
View File

@ -8,7 +8,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.25
Release: 6%{?dist}
Release: 7%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@ -68,6 +68,8 @@ Patch57: httpd-2.4.10-sigint.patch
Patch58: httpd-2.4.25-r1778319+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1434916
Patch59: httpd-2.4.25-r1787141.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch60: httpd-2.4.25-r1738878.patch
# Security fixes
License: ASL 2.0
@ -215,7 +217,8 @@ interface for storing and accessing per-user session data.
%patch56 -p1 -b .uniqueid
%patch57 -p1 -b .sigint
%patch58 -p1 -b .r1778319+
%patch59 -p1 -b .č1787141
%patch59 -p1 -b .r1787141
%patch60 -p1 -b .r1738878
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -687,6 +690,10 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Wed Mar 29 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.25-7
- Resolves: #1397243 - Backport Apache Bug 53098 - mod_proxy_ajp:
patch to set worker secret passed to tomcat
* Tue Mar 28 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.25-6
- Resolves: #1434916 - httpd.service: Failed with result timeout